8.4 Protecting Your Data

There is a strong overlap between the physical security of your computer systems and the privacy and integrity of your data. After all, if somebody steals your computer, they probably have your data. Unfortunately, there are many attacks on your data that can circumvent the physical measures mentioned in earlier sections.

This section explores several different types of attacks on data and discusses approaches for protecting against these attacks. It recapitulates some advice given elsewhere in the book in the context of physical security.

8.4.1 Eavesdropping

Electronic eavesdropping is perhaps the most sinister type of data piracy. Even with modest equipment, an eavesdropper can make a complete transcript of a victim's actions—every keystroke and every piece of information viewed on a screen or sent to a printer. The victim, meanwhile, usually knows nothing of the attacker's presence and blithely goes about his work, revealing not only sensitive information but also the passwords and procedures necessary for obtaining even more information.

In many cases, you cannot possibly know if you're being monitored. Sometimes you will learn of an eavesdropper's presence when the attacker attempts to make use of the information obtained. Often, you cannot prevent significant damage at that point. With care and vigilance, however, you can significantly decrease the risk of being monitored.

Encryption provides significant protection against eavesdropping. Thus, in many cases, it makes sense to assume that your communications are being monitored and to encrypt all communications as a matter of course.

8.4.1.1 Wiretapping

By their very nature, electrical wires are prime candidates for eavesdropping (hence the name wiretapping). An attacker can follow an entire conversation over a pair of wires with a simple splice—sometimes without even touching the wires physically: a simple induction loop coiled around a terminal wire is enough to pick up most voice and RS-232 communications. Similar measures are effective for monitoring local area networks. Reportedly, national-level intelligence agencies have been able to wiretap underwater optical cables by analyzing the electrical emissions from amplifiers and repeaters.

Here are some guidelines to prevent wiretapping:

Routinely inspect all wires that carry data (especially terminal wires and telephone lines used for modems) for physical damage.
Protect your wires from monitoring by using shielded cable. Armored cable provides additional protection.
If you are very security conscious, place your cables in a steel conduit. In high-security applications, the conduit can be pressurized with gas; gas pressure monitors can be used to trip an alarm system in the event of tampering. However, these approaches are expensive to install and maintain.

8.4.1.2 Eavesdropping over local area networks (Ethernet and twisted pairs)

Local area networks that are based on Ethernet or on a twisted pair are susceptible to eavesdropping; simply plugging a packet monitor into an unused network connection can often allow an attacker to intercept the entire contents of the local area network traffic. For this reason, unused offices should not have live Ethernet or twisted-pair ports inside them; disable these ports at your wiring closet.

Many organizations have used Ethernet switches to increase the capacity of their networks. A switch does not rebroadcast all traffic to all ports as if they were on a shared Ethernet; instead, it determines the hardware address of each machine on each line, and sends a computer only the packets that it should receive. Switches can significantly improve the security of these networks by minimizing the potential for eavesdropping. Nevertheless, you should not rely on switches for your security: a sufficiently skilled attacker can even monitor a switched LAN.

You may wish to periodically scan all of the Internet numbers that have been allocated to your subnet to make sure that no unauthorized Internet hosts are operating on your network. You can also run LAN monitoring software and have alarms sound each time a packet is detected with a previously unknown Ethernet address.

The freely available Unix program arpwatch will monitor your local area network for new Ethernet cards and alert you when they are detected; arpwatch also reports when an Ethernet MAC address starts using a different IP address. On the other hand, arpwatch can't detect a passively tapped connection using a cable with its transmit leads cut.

Some Ethernet hubs and switches can be set to monitor the IP numbers of incoming packets. If a packet comes in from a computer connected to the hub that doesn't match what the hub has been told is correct, it can raise an alarm or shut down the link. This capability helps prevent various forms of Ethernet spoofing. Some hubs can also be configured with MAC address filtering or lock-down, so that if an unauthorized MAC address is used on a port, that port will be automatically disabled.

8.4.1.3 Eavesdropping on 802.11 wireless LANs

In recent years, high-speed wireless LANs have become increasingly popular at many universities and corporations. Presently, these systems are not secure. Even when the so-called WEP encryption system is in use, it is possible for an attacker to masquerade as an authorized user and gain access to the wireless LAN. The information moving through the air can also be trivially eavesdropped. Although some of the WEP security issues are being addressed, wireless LANs should not be used in security-conscious environments. If a wireless LAN must be used in your environment, locate the Wireless Access Point outside your organization's firewall (or between two firewalls) and require your users to employ a second layer of encryption, such as a VPN or SSL.

8.4.1.4 Eavesdropping by radio and using TEMPEST

Every piece of electrical equipment emits radiation in the form of radio waves. Using specialized equipment, it is possible to analyze the emitted radiation generated by computer equipment and determine the calculations that caused the radiation to be emitted in the first place.

Radio eavesdropping is a special kind of tapping that security agencies (in the U.S. these agencies include the FBI, CIA, and NSA) are particularly concerned about. In the 1980s, a certification system called TEMPEST was developed in the U.S. to rate the susceptibility of computer equipment to such monitoring. Computers that are TEMPEST-certified are generally substantially less susceptible to radio monitoring than computers that are not, but they are usually more expensive and larger because of the extra shielding.

As an alternative to certifying individual computers, you can TEMPEST-certify rooms or entire buildings. Several office buildings constructed in Maryland and northern Virginia are encased in a conductive skin that dampens radio emissions coming from within. As the majority of RF emissions that can be analyzed result from video monitors, it is possible to minimize these emissions by using specially designed screen fonts. Professor Ross Anderson at the University of Cambridge (http://www.cl.cam.ac.uk/users/rja14/) has developed such a set of fonts that he calls Soft Tempest; the fonts can be downloaded from http://www.cl.cam.ac.uk/~mgk25/st-fonts.zip.

Although TEMPEST is not a concern for most computer users, the possibility of electronic eavesdropping by radio should not be discounted. Performing such eavesdropping is much easier than you might expect. It is possible to find plans published on the Internet that will allow you to build low-cost eavesdropping devices that work against common PCs.

8.4.1.5 Fiber optic cable

A good type of physical protection is to use fiber optic media for a network. It is more difficult to tap into a fiber optic cable than it is an insulated coaxial cable. Successful taps often require cutting the fiber optic cable first, thus giving a clear indication that something is amiss (although an optical " vampire" tap exists that can tap a fiber optic network simply by clamping down on the cable). Fiber optic cabling is also less susceptible to signal interference and grounding. However, fiber is sometimes easier to break or damage, and more difficult to repair than copper cables.

8.4.1.6 Keyboard monitors

Several companies sell small keyboard monitors that can be physically connected between a keyboard and a computer. These monitors capture every keystroke as it is typed. They are impossible to detect with software. To dump the contents of the memory, the eavesdropper must have physical access to the computer and type a password on the keyboard. The keyboard monitor then displays a menu that allows the operator to dump or clear its memory. A typical device costs $50 and has 128 KBs of memory; slightly costlier versions may have 2 MBs of memory or more.

8.4.2 Protecting Backups

Backups should be a prerequisite of any computer operation—secure or otherwise—but the information stored on backup tapes is extremely vulnerable. When the information is stored on a computer, the operating system's mechanisms of checks and protections prevent unauthorized people from viewing the data (and can possibly log failed attempts). After information is written onto a backup tape, anybody who has physical possession of the tape can read its contents.

For this reason, protect your backups at least as well as you normally protect your computers themselves.

Here are some guidelines for protecting your backups:

Don't leave backups unattended in a computer room that is generally accessible. Somebody could take a backup and then have access to all of the files on your system.
Don't entrust backups to a messenger who is not bonded.
Sanitize backup tapes before you sell them, use them as scratch tapes, or otherwise dispose of them. (See Section 8.4.3 later in this chapter.)
Most backup programs allow you to encrypt the data before it is written to a backup. Encrypted backups dramatically reduce the chances that a backup tape or CD-ROM, if stolen, will be usable by an adversary. If you use a cryptographic backup system, it is important that you protect your key—both so that an attacker will not learn the key, and so that your key will not be lost in the event that you have a change of staff.

Chapter 18 contains complete information on backups.

8.4.2.1 Verify your backups

You should periodically verify your backups to make sure they contain valid data. You need to verify backups that are months or years old in addition to backups that were made yesterday or the week before. Sometimes, backups in archives are slowly erased by environmental conditions. Magnetic tape is also susceptible to a process called print through , in which the magnetic domains on one piece of tape wound on a spool affect the next layer.

The only way to find out if this process is harming your backups is to test them periodically. You can also minimize print through by spinning your tapes to the end and then rewinding them, because the tape will not align in the same way when the tape is rewound. We recommend that at least once a year, you check a sample of your backup tapes to make sure that they contain valid data.

8.4.2.2 Protect your backups

Many of the hazards to computers mentioned in the first part of this chapter are equally hazardous to backups. To maximize the chances of your data's surviving in the event of an accident or malicious incident, keep your computer system and your backups in different locations.

8.4.3 Sanitizing Media Before Disposal

When you discard disk drives, CD-ROMs, or tapes, make sure that the data on the media has been completely erased. This process is called sanitizing.

Simply deleting a file that is on your hard disk doesn't delete the data associated with the file. Parts of the original data—and sometimes entire files—can usually be easily recovered. When you are disposing of old media, be sure to destroy the data itself, in addition to the directory entries. One way to do this is to use the dd command to overwrite the active drive with random data. There are also special-purpose disk sanitation tools that can be used for additional assurances.

Modern hard disks pose a unique problem for media sanitizing in classified environments because of the large amount of hidden and reserved storage. A typical 80-GB hard disk may have several megabytes of additional storage; some of this storage is used for media testing and bad-block remapping, but much of it is unused during normal operations. With special software, you can access this reserved storage area; you could even install "hard disk viruses" that can reprogram a hard disk controller, take over the computer's peripheral bus, and transfer data between two devices, or feed faulty data to the host computer. For these reasons, hard disks that have held classified information must be sanitized with software that is specially written for each particular disk drive's model number and revision level.

If you are a system administrator, you have an additional responsibility to sanitize your backup tapes before you dispose of them. Although you may not think that any sensitive or confidential information is stored on the tapes, your users may have been storing such information without your knowledge.

For tapes, you can use a bulk eraser, which is a hand-held electromagnet that has a hefty field. Experiment with reading back the information stored on tapes that you have "bulk erased" until you know how much erasing is necessary to eliminate your data. You can sometimes use these same erasers on disks, but modern disks use such high densities of information, and require specially recorded "timing tracks," that use of a bulk eraser may keep you from using the disk but not really eliminate the information on it.

Do not place your bulk eraser near your disks or good tapes! Also beware of placing the eraser on the other side of a wall from your disks or tapes. People who have pacemakers or other kinds of implants should be warned not to approach the eraser while it is operating.

Some software exists that overwrites optical media, thus erasing the contents of even write-once items. However, the effectiveness of these methods varies from media type to media type, and the overwriting may still leave some residues. For this reason, physical destruction is preferable.

Unfortunately, physical destruction is getting harder and harder to do. While incinerators do a remarkably good job of destroying tapes, stringent environmental regulations have forced many organizations to abandon this practice. Organizations have likewise had to give up acid baths. Until recently, crushing was preferred for hard disk drives and disk packs. But as disk densities get higher and higher, disk drives must be crushed into smaller and smaller pieces to frustrate laboratory analysis of the resulting material. As a result, physical destruction is losing popularity when compared with software-based techniques for declassifying or sanitizing computer media.

One common sanitizing method involves overwriting the entire tape. If you are dealing with highly confidential or security-related materials, you may wish to overwrite the disk or tape several times, because data can be recovered from tapes that have been overwritten only once. Commonly, tapes are overwritten three times—once with blocks of 0s, then with blocks of 1s, and then with random numbers. Finally, the tape may be degaussed—or run through a bandsaw several times to reduce it to thousands of tiny pieces of plastic.

We recommend that you thoroughly sanitize all media before disposal by choosing a method that is best suited to your level of risk and need.

8.4.4 Sanitizing Printed Media

In the previous section, we discussed the importance of erasing magnetic media before disposing of it. However, magnetic media is not the only material that should be carefully "sanitized" before disposal. Other material that may find its way into the trash may contain information that is useful to criminals or competitors. This includes printouts of software (including incomplete versions), memos, design documents, preliminary code, planning documents, internal newsletters, company phone books, manuals, and other material.

Obviously, some program printouts might be used against you, especially if enough printouts are collected over time to derive a complete picture of your software development and web organization. If the code is commented well enough, it may also give away clues as to the identity of beta testers and customers, testing strategies, and marketing plans.

Other material may be used to derive information about company personnel and operations. With a company phone book, someone could masquerade as an employee over the telephone and obtain sensitive information, including dialup numbers, account names, and passwords. Sounds far-fetched? Think again—there are numerous stories of such social engineering. The more internal information an outsider has, the more easily he can obtain sensitive information. By knowing the names, office numbers, and extensions of company officials and their staff, he can easily convince an overworked and undertrained operator that he needs to violate the written policy—or incur the wrath of the "vice president"—on the phone.

Other information that may find its way into your dumpster includes the types and versions of your operating systems and computers, serial numbers, patch levels, and so on. It may include hostnames, IP numbers, account names, and other information critical to an attacker. We have heard of some firms disposing of listings of their complete firewall configuration and filter rules—a gold mine for someone seeking to infiltrate the computers.

How will this information find its way into the wrong hands? Well, dumpster diving or trashing is one such way. After hours, someone intent on breaking your security could be rummaging through your dumpster, looking for useful information. In one case we heard recounted, a "diver" dressed up as a street person (letting his beard grow a bit and not bathing for a few days) splashed a little cheap booze on himself, half-filled a mesh bag with empty soda cans, and went to work. As he went from dumpster to dumpster in an industrial office park, he was effectively invisible: busy and well-paid executives seem to see through the homeless and unfortunate. If someone began to approach him, he would pluck invisible bugs from his shirt and talk loudly to himself. In the one case where he was accosted by a security guard, he was able to the convince the guard to let him continue looking for "cans" for spare change. He even panhandled the guard to give him $5 for a meal!

Perhaps you have your dumpster inside a guarded fence. But what happens after it is picked up by the trash hauler? Is it dumped where someone can go though the information off your premises?

Consider carefully the value of the information you throw away. Consider investing in shredders for each location where information of value might be thrown away. Educate your users not to dispose of sensitive material in their refuse at home, but to bring it in to the office to be shredded. If your organization is large enough and local ordinances allow, you may also wish to incinerate some sensitive paper waste on-site.

Home users are also vulnerable to this kind of scavenging. Unsanitized disposal of papers with passwords or system information, credit card receipts and bills, and personal documents may lead to unwanted intrusions (into privacy as well as web pages). A personal shredder can be purchased for a small amount of money at any large discount store or office supply outlet. This should be routinely used on documents that may contain any sensitive information.

8.4.5 Protecting Local Storage

In addition to computers and mass-storage systems, many other pieces of electrical data-processing equipment store information. For example, terminals, modems, and laser printers often contain pieces of memory that may be downloaded and uploaded with appropriate control sequences.

Naturally, any piece of memory that is used to hold sensitive information presents a security problem, especially if that piece of memory is not protected with a password, encryption, or other similar mechanism. However, the local storage in many devices presents an additional security problem, because sensitive information is frequently copied into such local storage without the knowledge of the computer user.

8.4.5.1 Printer buffers

Many high-speed laser printers are programmable and contain significant amounts of local storage. (Some laser printers have internal hard disks that can be used to store hundreds of megabytes of information.) Some of these printers can be programmed to store a copy of any document printed for later use. Other printers use the local storage as a buffer; unless the buffer is appropriately sanitized after printing, an attacker with sufficient skill can retrieve some or all of the contained data. The same is true of some networked fax machines.

8.4.5.2 Printer output

One form of local storage you may not think of is the output of your workgroup printer. If the printer is located in a semipublic location, the output may be vulnerable to theft or copying before it is claimed. You should ensure that printers, plotters, and other output devices are in a secured location. Fax machines face similar vulnerabilities.

8.4.5.3 X terminals

Many X Window terminals have substantial amounts of local storage. Some X terminals even have hard disks that can be accessed from over the network. Few support any cryptographic protocols.

Here are some guidelines for using X terminals securely:

If your users work with sensitive information, they should turn off their X terminals at the end of the day to clear the terminals' RAM memory.
If your X terminals have hard disks, you should be sure that the terminals are password-protected so that they cannot be easily reprogrammed over the network. Do not allow service personnel to remove the X terminals for repair unless the disks are first removed and erased.

8.4.5.4 Function keys

Many smart terminals are equipped with function keys that can be programmed to send an arbitrary sequence of keystrokes to the computer whenever a function key is pressed. If a function key is used to store a password, then any person who has physical access to the terminal can impersonate the terminal's primary user. If a terminal is stolen, then the passwords are compromised. Therefore, we recommend that you never use function keys to store passwords or other kinds of sensitive information (such as cryptographic keys).

8.4.6 Unattended Terminals

Unattended terminals where users have left themselves logged in present a special attraction for vandals (as well as for computer crackers). A vandal can access the person's files with impunity. Alternatively, the vandal can use the person's account as a starting point for launching an attack against the computer system or the entire network: any tracing of the attack will usually point fingers back toward the account's owner, not to the vandal. Not only does this scenario allow someone to create a "back door" into the account of the user involved, and thus gain longer-term access, but an untrained attacker could also commit some email mayhem. Imagine someone sending email, as you, to the CEO or the Dean, making some lunatic and obscene suggestions? Or perhaps email to whitehouse.gov with a threat against the President?^[5] Hence, you should never leave terminals unattended for more than short periods of time.

^[5] Don't even think about doing this yourself! The Secret Service investigates each and every threat against the President, the President's family, and certain other officials. They take such threats very seriously, and they are not known for their senses of humor while on official business. They are also very skilled at tracking down the real culprit in such incidents—we know from observing their work on a number of occasions. These threats simply aren't funny, especially if you end up facing federal criminal charges as a result.

Some systems have the ability to log off a user automatically—or at least blank his screen and lock his keyboard—when the user's terminal has been idle for more than a few minutes.

8.4.6.1 Built-in shell autologout

If you use the C shell under Unix, you can use the autologout shell variable to log you out automatically after you have been idle for a specified number of minutes. Normally, this variable is set in your ~/.cshrc file. (Note that the autologout variable is not available under all versions of the C shell.)

For example, if you wish to be logged out automatically after you have been idle for 10 minutes, place this line in your ~/.cshrc file:

set autologout=10

Note that the C shell will log you out only if you idle at the C shell's command prompt. If you are idle within an application, such as a word processor, you will remain logged in.

ksh (the Korn shell) and bash have a TMOUT variable that performs a similar function. TMOUT is specified in seconds:

TMOUT=600

8.4.6.2 Screensavers

You may wish to use a screensaver that automatically locks your workstation after the keyboard and mouse have been inactive for more than a predetermined number of minutes. There are many screensavers to chose from on a variety of platforms, including Unix, Mac OS, and Windows NT.

Many vendor-supplied screensavers respond to built-in passwords in addition to the user's passwords. The Unix lock program, for example, once had a back door that would allow any user's terminal to be unlocked with the password hasta la vista—and this fact was undocumented in the manual. Unless you have the source code for a program, there is no way to determine whether it has a back door of any kind. You would be better off using a vendor-supplied locking tool than leaving your terminal unattended and unlocked while you go for coffee. But be attentive, and beware.

8.4.7 Key Switches

Some kinds of computers have key switches that can be used to prevent the system from being rebooted in single-user mode. Some computers also have ROM monitors that prevent the system from being rebooted in single-user mode without a password. Sun's OpenBoot system and all new Macintosh systems support use of a password to control boot configuration access.

Key switches and ROM monitor passwords provide additional security and should be used when possible.^[6] However, you should also remember that any computer can be unplugged. The most important way to protect a computer is to restrict physical access to that computer.

^[6] There is another good reason to set ROM monitor passwords. Consider what would happen if an attacker found a machine, set the password himself, and turned it off.